Which one is the most difficult to protect?

Data at Rest / Data in Process / Data in Motion


Motivation 


Want to ensure object's content gets cleared? 


Reality: [meme image: "... WILL HANDLE IT"]


Ref: https://www.dynatrace.com/resources/ebooks/javabook/how-garbage-collection-works/ 


[Figure: how garbage collection works. Garbage Collection Roots -> Reachable objects; Unreachable objects = Garbage; Forgotten References -> Memory Leak]


Resetting StringBuilder objects 


Reachable, unused StringBuilder objects may contain sensitive information 
A heap dump will reveal the sensitive info 
Don't just rely on GC to clear sensitive content 


Destroy by overwriting all critical data 


Ref: https://www.pentestpartners.com/security-blog/how-to-extract-sensitive-plaintext-data-from-android-memory 


java.security.* falls short 


java.security
Class KeyStore.PasswordProtection

java.lang.Object
    java.security.KeyStore.PasswordProtection

All Implemented Interfaces: KeyStore.ProtectionParameter, Destroyable
Enclosing class: KeyStore

    public static class KeyStore.PasswordProtection
    extends Object
    implements KeyStore.ProtectionParameter, Destroyable

A password-based implementation of ProtectionParameter.

destroy

    public void destroy()
                 throws DestroyFailedException

Clears the password.
Specified by: destroy in interface Destroyable
Throws: DestroyFailedException - if this method was unable to clear the password


Ref: https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.PasswordProtection.html 


How does Androsia help?

* Androsia determines last use of objects at a whole program level
  - A summary based inter-procedural data-flow analysis
  - Androsia instruments bytecode to clear memory content of objects


Eclipse Memory Analyzer

[Screenshot: Heap Dump - Before Instrumentation and Heap Dump - After Instrumentation of the com.example.getset app, inspecting class User (GC root: System Class; loaded by dalvik.system.PathClassLoader). Statics tab: ref $staticOverhead, ref static secret.]


Overview

[Figure: Androsia pipeline - 3. Convert, 4. Transform/Instrument, 5. Convert]


Framework behind Androsia

Static Code analysis using Soot

* Soot - framework for Java (bytecode), enables development of static analysis tools
* Provides three-address code called Jimple
  - ... implementing dataflow analyses:
    - Intra-procedural
    - Inter-procedural
* Soot was missing a Dalvik to Jimple transformation module
* and then came Dexpler


[Figure: Soot Workflow. Inputs: Java source, Scala source (via the JastAdd parser), Java bytecode, Dalvik, TamiFlex output -> Produce IR (Jimple) -> Analyze, Optimize and Tag -> Generate Bytecode -> Optimized/transformed class files -> Java Virtual Machine]

Soot Workflow


FlowDroid

* Android apps don't have a main method
  - FlowDroid generates dummyMainMethod()
* Models Android's lifecycle methods & callbacks


Further reading:

Instrumenting Android Apps with Soot, http://www.bodden.de/2013/01/08/soot-android-instrumentation/

Dexpler: Converting Android Dalvik Bytecode to Jimple for Static Analysis with Soot, https://arxiv.org/pdf/1205.3576.pdf


[Figure: Android Activity lifecycle. User navigates to the activity -> onCreate() -> onStart() -> onResume() -> activity running. Another activity comes into the foreground -> onPause(); the activity is no longer visible -> onStop(); the activity is finishing or being destroyed by the system -> onDestroy(). Apps with higher priority need memory -> the activity goes back through onCreate() when the user navigates to it again. User returns to the activity -> onRestart() -> onStart().]

Img. ref: https://developer.android.com/reference/android/app/Activity.html#ActivityLifecycle


Demo 


SB Objects — In what scopes can they exist?

Abbrev. SB: StringBuilder; S.O.P: System.out.println

Local variable

    public void foo() {
        SB x, y, z;
        [x = new SB("s3cr3t");]1
        [y = new SB("p@55w0rd");]2
        [x = new SB("hello");]3
        [if(y.length() < x.length()) {]4
            [z = y;]5
        } else {
            [z = y.append("007");]6
        }
        [x = z;]7
    }

Static Field

    class MyClass {
        static SB x;

        public static void foo() {
            SB y, z;
            [x = new SB("s3cr3t");]1
            [y = new SB("p@55w0rd");]2
            if(y.length() < x.length()) {
                z = y;
            } else {
                z = y.append("007");
            }
        }

        public static void bar() {
            System.out.println(MyClass.x);
        }
    }

Instance Field

    class MyInstanceFieldSB {
        private SB x;

        public SB getSBx() {
            return x;
        }

        public SB setSBx(SB str) {
            x = str;
            return x;
        }

        public static void foo() {
            MyInstanceFieldSB obj = new MyInstanceFieldSB();
            SB str = new SB();
            obj.setSBx(str);
            System.out.println(obj.getSBx());
        }
    }


Demo - Static SB

    public class MainActivity {
        protected void onCreate(Bundle b) {
            User.static_secret = new SB("p@55");   // string literal truncated on the slide
            CheckStatic cs = new CheckStatic();
            cs.useStaticField();
            bar();
        }

        public void bar() {
            System.out.println(User.static_secret);
        }
    }

    public class CheckStatic {
        public void useStaticField() {
            System.out.println(User.static_secret);
        }
    }

    public class User {
        public static SB static_secret;
    }


But life is not always so simple 


- There can be loops 


DEMO 


Approach

What's there in a line of code?

* What data are we interested in?

Next few slides:
  - What is live variable analysis?
  - How to compute Summary for every method?
    e.g. Summary(foo) = (x, if(y.length() < x.length()))
    > Step 1: Compute def-use set for every statement
    > Step 2: Compute LV_entry & LV_exit set for every statement
    > LV_entry & LV_exit -> Last Usage Point (LUP) for Local / Static Field Ref. (SFR) within a method -> Summary
  - How to use summaries to compute LUP for a SFR at a whole program level?


Live Variable Analysis

* LV analysis determines, for each statement, which variables must have a subsequent use prior to the next definition of that variable

* Last Usage Point of a var = last stmt where that var was live

    public void foo() {
        SB x, y, z;
        [x = new SB("s3cr3t");]1
        [y = new SB("p@55w0rd");]2
        [x = new SB("hello");]3
        [if(y.length() < x.length()) {]4
            [z = y;]5
        } else {
            [z = y.append("007");]6
        }
        [x = z;]7
    }

Abbrev. SB: StringBuilder


1. Compute def-use Set

* def set: variables defined in the statement
* use set: variables evaluated/used in the statement

Abbrev. SB: StringBuilder

    l  statement                        def(l)  use(l)
    1  x = new SB("s3cr3t");            {x}     Ø
    2  y = new SB("p@55w0rd");          {y}     Ø
    3  x = new SB("hello");             {x}     Ø
    4  if(y.length() < x.length())      Ø       {x, y}
    5  z = y;                           {z}     {y}
    6  z = y.append("007");             {z}     {y}
    7  x = z;                           {x}     {z}


1. Compute def-use Set (cntd.)

LV Data Flow Direction

[Figure: the code of foo() annotated with the direction of the live-variable data flow. Liveness is a backward analysis: the set at the exit of a statement comes from the entry of its successor(s), e.g. LV_exit(2) = LV_entry(3), LV_exit(4) = LV_entry(5) ∪ LV_entry(6) for the if(p) branch, and LV_exit(5) = LV_exit(6) = LV_entry(7); each entry set is then computed from the exit set and the statement's def/use sets.]


2. Compute LV_entry(l) & LV_exit(l)

* Hence the flow equations can be expressed using the two functions:

$LV_{exit}(l) = \emptyset$ if $l = l_{last}$, otherwise $LV_{exit}(l) = \bigcup_{s \in succ[l]} LV_{entry}(s)$

$LV_{entry}(l) = (LV_{exit}(l) - def(l)) \cup use(l)$

Summary(foo) = { Local, LUP(Local / Aliases) } OR { StaticFieldRef, LUP(SFR / Aliases) }


3: Compute LV_entry & LV_exit

$LV_{entry}(l) = (LV_{exit}(l) - def(l)) \cup use(l)$

    l  statement                        def(l)  use(l)   LV_entry(l)  LV_exit(l)
    1  x = new SB("s3cr3t");            {x}     Ø        Ø            Ø
    2  y = new SB("p@55w0rd");          {y}     Ø        Ø            {y}
    3  x = new SB("hello");             {x}     Ø        {y}          {x, y}
    4  if(y.length() < x.length())      Ø       {x, y}   {x, y}       {y}
    5  z = y;                           {z}     {y}      {y}          {z}
    6  z = y.append("007");             {z}     {y}      {y}          {z}
    7  x = z;                           {x}     {z}      {z}          Ø
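Added example, not code from the talk or from Androsia: the backward liveness fixpoint and the Last Usage Point computation from steps 1-3, run over the slide's foo(). The CFG, def/use sets and statement numbers 1-7 are the slide's, encoded by hand as constructed data.

```python
# Constructed CFG for the slide's foo(): statement number -> (def set, use set, successors).
# Statement 4 is the if-condition branching to 5 (then) and 6 (else); 7 is the join.
FOO = {
    1: ({"x"}, set(), [2]),          # x = new SB("s3cr3t")
    2: ({"y"}, set(), [3]),          # y = new SB("p@55w0rd")
    3: ({"x"}, set(), [4]),          # x = new SB("hello")
    4: (set(), {"x", "y"}, [5, 6]),  # if (y.length() < x.length())
    5: ({"z"}, {"y"}, [7]),          # z = y
    6: ({"z"}, {"y"}, [7]),          # z = y.append("007")
    7: ({"x"}, {"z"}, []),           # x = z
}

def live_variables(cfg):
    """Backward fixpoint of the slide's equations: LV_exit(l) is empty for the last
    statement and the union of LV_entry over successors otherwise;
    LV_entry(l) = (LV_exit(l) - def(l)) | use(l)."""
    entry = {l: set() for l in cfg}
    exit_ = {l: set() for l in cfg}
    changed = True
    while changed:
        changed = False
        for l in sorted(cfg, reverse=True):  # visiting in reverse order converges fastest
            defs, uses, succs = cfg[l]
            new_exit = set().union(*(entry[s] for s in succs))
            new_entry = (new_exit - defs) | uses
            if new_exit != exit_[l] or new_entry != entry[l]:
                exit_[l], entry[l] = new_exit, new_entry
                changed = True
    return entry, exit_

def last_usage_points(cfg):
    """LUP(v): statements where v is live on entry but dead on exit, i.e. the last point
    each variable is needed; a clearing instruction placed right after it is safe."""
    entry, exit_ = live_variables(cfg)
    lup = {}
    for l in sorted(cfg):
        for v in entry[l] - exit_[l]:
            lup.setdefault(v, set()).add(l)
    return lup

if __name__ == "__main__":
    entry, exit_ = live_variables(FOO)
    for l in FOO:
        print(f"{l}: LV_entry={sorted(entry[l])} LV_exit={sorted(exit_[l])}")
    print("LUP:", last_usage_points(FOO))  # x: {4}, y: {5, 6}, z: {7}
```

LUP here tracks variables, as on the slides; the StringBuilder assigned at statement 1 is overwritten at 3 without x ever being live in between, so a per-object analysis would have to treat statement 1 itself as that object's last usage point.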


    public void foo() {        public void bar() {        public void baz() {
        A1                         B1                         C1
        A2                         B2                         C2
        A3  bar();  ------>        B3  baz();  ------>        C3
        A4                         B4                         C4  sfr used
        A5                         B5  sfr used               C5
    }                          }                              C6
                                                           }

Summ(baz) = {sfr, C4}      LV_entry(C4) = {sfr, C4}
Summ(bar) = {sfr, B5}      LV_exit(B3) = LV_entry(B4) = {sfr, B5}
                           LV_exit(A3) = LV_entry(A4) = Ø

{ baz, (sfr, C4) }
{ bar, (sfr, B5) }

Summary is computed in reverse topological order

Program level last use for "sfr" happens at:
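Added example, not the talk's or Androsia's code: the summary composition sketched above in Python. The call graph (foo calls bar at A3, bar calls baz at B3) and the statement labels A1..A5, B1..B5, C1..C6 are the slide's, encoded by hand as constructed data; method bodies are assumed to be straight-line.

```python
# Constructed call graph mirroring the slide: foo calls bar at A3; bar calls baz at B3 and
# uses the static field reference "sfr" at B5; baz uses sfr at C4. Each statement is
# (label, kind, target) with kind "use" (of a variable), "call" (of a method) or "other".
METHODS = {
    "foo": [("A1", "other", None), ("A2", "other", None), ("A3", "call", "bar"),
            ("A4", "other", None), ("A5", "other", None)],
    "bar": [("B1", "other", None), ("B2", "other", None), ("B3", "call", "baz"),
            ("B4", "other", None), ("B5", "use", "sfr")],
    "baz": [("C1", "other", None), ("C2", "other", None), ("C3", "other", None),
            ("C4", "use", "sfr"), ("C5", "other", None), ("C6", "other", None)],
}

def reverse_topological(methods, root):
    """Post-order DFS over the call graph: callees come before their callers, so every
    summary a method depends on already exists when that method is visited."""
    order, seen = [], set()
    def visit(m):
        if m not in seen:
            seen.add(m)
            for _, kind, target in methods[m]:
                if kind == "call":
                    visit(target)
            order.append(m)
    visit(root)
    return order

def compute_summaries(methods, root, var):
    """Summ(m): label of the statement in m where var is last needed. A call site counts
    as a use when the callee's summary shows it still needs var. Straight-line bodies are
    assumed, so the last hit of a forward walk is the last usage point."""
    summ = {}
    for m in reverse_topological(methods, root):
        summ[m] = None
        for label, kind, target in methods[m]:
            if kind == "use" and target == var:
                summ[m] = label
            elif kind == "call" and summ.get(target) is not None:
                summ[m] = label
    return summ

def program_level_last_use(methods, root, var):
    """Follow summaries from the root through call sites until one points at a direct use."""
    summ = compute_summaries(methods, root, var)
    m, label = root, summ[root]
    while label is not None:
        kind, target = next((k, t) for l, k, t in methods[m] if l == label)
        if kind == "use":
            return label
        m, label = target, summ[target]
    return None
```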


Summarizing:

* What is live variable analysis? ✓
* How to compute Summary for every method?
  e.g. Summary(foo) = (x, if(y.length() < x.length()))
  > Step 1: Compute def-use set for every statement
  > Step 2: Compute LV_entry & LV_exit set for every statement ✓
  > LV_entry & LV_exit -> Last Usage Point (LUP) for Local / Static Field Ref. (SFR) within a method -> Summary
* How to use summaries to compute LUP for a SFR at a whole program level? ✓


Instance Field Approach

* Mark all classes which have StringBuilder Instance Field/s
* Find their object instances
* Track Last Usage of object instances & their aliases instead of SB Fields
  - Add reset method/s to respective class


Demo - Instance Field SB 




DEMO 


Work In Progress 


* Test Suite development 
* CI/CD adoption 


Get in touch & contribute: 


I will be releasing the tool and documentation at the end of the conference!


Twitter: @samitanwerl1, 


Email: samit.anwer@gmail.com, 
LinkedIn: https://www.linkedin.com/in/samit-anwer-ba47a85b/ 
Three address code

    public int foo(java.lang.String)
    {
        // [local defs]

        r0 := @this;                 // IdentityStmt
        r1 := @parameter0;           // IdentityStmt
        if r1 != null goto label0;

        $i0 = r1.length();           // AssignStmt
        r1.toUpperCase();            // InvokeStmt
        return $i0;                  // ReturnStmt

    label0:
        return 2;                    // ReturnStmt
    }


